A strong internal audit can be the difference between catching a security failure and spending weeks and months doing a forensic investigation of a breach.
With this in mind, professional services firm PricewaterhouseCoopers (PwC) released a whitepaper outlining how internal audits have become a key pillar of security strategies in the age of data breaches and what companies can do to overcome some common hurdles to audit effectiveness.
“Internal audit departments need strong governance, which leads to respect, credibility and visibility,” said Carolyn Holcomb, leader of PwC’s Risk Assurance Data Protection and Privacy practice.”If they don’t have the right visibility or governance, they’re just not heard and unfortunately, this happens frequently.”
Even with compliance regulations in place, most companies tend to do the minimum, so strong governance is important to make sure the regulations are effective at providing a level of security, she said.
In the whitepaper, the firm details a number of pitfalls audit efforts can face, such as the belief that adequate security measures are already in place or audits can be undercut by fragmented responsibility for security controls.
According to Holcomb, PwC is seeing a trend where companies are forming risk committees at the board level so that the committee can assess and understand the privacy and information security risks of the organization. Many businesses are looking externally for these individuals because they aren’t often found serving as board members, she said.
“Because information security and privacy can often be technical, individuals without experience in this area may not understand it,” she said. “As a result, the auditors of information security and privacy may be communicating risks and concerns, but to senior management or boards who don’t fully understand and appreciate the risks.”
In addition, she said, boards need to be more educated about the hacks their management teams are detecting and preventing to improve their understanding of the threat level. “Increased governance and visibility for the information security and privacy professionals within organizations and increased communication with the board can increase this education and awareness,” she said.
This board-level support for audits is very important, she said, and roles and responsibilities for privacy and security with the management need to be defined. It is also important that the audit highlight and assess the organization’s significant data security and privacy risks and include any information about threats that may be on the horizon when it is presented to the audit committee, the firm noted in the paper.
“No matter how strong a company’s data security policies and controls are, a company won’t really know the adequacy of its defense if it doesn’t continually verify that those defenses are sound, uncompromised and applied in a consistent manner,” said Jason Pett, PwC’s U.S. internal audit services leader, in a statement.
“Internal audit has to play a far more substantial role in information security, and audit committees must also increase their attention on the increasing risk, heightening the expectations they place on internal audit to place adequate focus on data security and privacy concerns,” Pett’s statement said.